
Statistical properties of side-channel and fault injection attacks using coding theory

Abstract

Naïve implementations of block ciphers are subject to side-channel and fault injection attacks. To deceive side-channel attacks and to detect fault injection attacks, the designer inserts specially crafted error correcting codes in the implementation. The impact of codes on protection against fault injection attacks is well studied: the number of detected faults relates to their minimum distance. However, regarding side-channel attacks, the link between codes and protection efficiency is blurred. In this paper, we relate statistical properties of code-based countermeasures against side-channel attacks to their efficiency in terms of security, against uni- and multi-variate attacks.
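The abstract's first claim, that the number of faults a code detects is governed by its minimum distance, can be checked exhaustively on a small code. The following is an added illustration, not code from the paper: it uses a constructed generator matrix for the binary [7,4,3] Hamming code, enumerates every non-zero error pattern, and counts which patterns are detected (a fault on a codeword is detected exactly when the faulted word is no longer a codeword, i.e. when the error pattern itself is not a codeword). The helper names are the example's own.

```python
# Added example (not from the paper): fault-detection coverage of a binary
# linear code as a function of its minimum distance.
from itertools import product

# Constructed generator matrix of the [7,4,3] Hamming code (rows form a basis).
HAMMING_7_4 = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]


def codewords(gen):
    """All 2^k codewords spanned by the rows of the generator matrix, over F_2."""
    k, n = len(gen), len(gen[0])
    words = set()
    for msg in product((0, 1), repeat=k):
        cw = tuple(sum(m * row[j] for m, row in zip(msg, gen)) % 2 for j in range(n))
        words.add(cw)
    return words


def min_distance(words):
    """Minimum Hamming weight of a non-zero codeword (= minimum distance for linear codes)."""
    return min(sum(cw) for cw in words if any(cw))


def fault_detection_profile(gen):
    """Return {error_weight: (detected, total)} over all non-zero error patterns.

    A fault e applied to a codeword c yields c + e; the check "is c + e a
    codeword?" fails (fault detected) iff e is not itself a codeword. Hence every
    error of weight below the minimum distance d is detected, and the only
    undetected errors are the 2^k - 1 non-zero codewords.
    """
    words = codewords(gen)
    n = len(gen[0])
    profile = {}
    for e in product((0, 1), repeat=n):
        w = sum(e)
        if w == 0:
            continue  # no fault injected
        detected, total = profile.get(w, (0, 0))
        profile[w] = (detected + (e not in words), total + 1)
    return profile


def guaranteed_detection_bound(gen):
    """Largest weight t such that every error of weight <= t is detected (t = d - 1)."""
    profile = fault_detection_profile(gen)
    t = 0
    while t + 1 in profile and profile[t + 1][0] == profile[t + 1][1]:
        t += 1
    return t


if __name__ == "__main__":
    words = codewords(HAMMING_7_4)
    print("minimum distance d =", min_distance(words))
    for w, (det, tot) in sorted(fault_detection_profile(HAMMING_7_4).items()):
        print(f"weight {w}: {det}/{tot} faults detected")
    print("all faults detected up to weight", guaranteed_detection_bound(HAMMING_7_4))
```

Running it shows the expected picture: all single- and double-bit faults (weight below d = 3) are caught, while from weight 3 upward some fault patterns coincide with codewords and slip through; the undetected patterns across all weights number exactly 2^4 - 1 = 15. The same functions work for any binary generator matrix small enough to enumerate.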



Notes

  1. For instance, in the AES block cipher, the substitution box has 256 entries, hence recomputation requires 256 memory accesses. The number of substitution box calls in the algorithm is 16 (resp. 4) per round for the datapath (resp. key schedule), hence a total of (16 + 4) × 10 = 200 calls, which is indeed less than 256.

  2. Systems with multiple processors speed up memory accesses using data and instruction memory caches, which are shared by the processors. If data that is not in the cache memory is fetched, there is a cache miss (which takes a long time); otherwise, there is a cache hit (which is fast). Thus the hit/miss patterns betray the memory access sequence.

  3. Beware that the high-order implementation in this publication is flawed. For fixes, please refer to [21].

  4. The perfect masking scheme introduced in 2001 [9] is perfect in that it ensures perfect independence at word level between tuples of intermediate variables missing at least one share. However, it is not perfect in the sense of bit-level security. Hence the later introduction in 2011 of the leakage squeezing masking scheme [38] and in 2015 of the inner product masking scheme [3].

  5. Notice that in Listing 1 and in the rest of this section, the symbol X denotes the dummy variable for field \(\mathbb {F}_{2}\) extension to \(\mathbb {F}_{16}\). Thus, it shall not be confused with X, the sensitive variable (recall (1)).

  6. See http://www.unilim.fr/pages_perso/philippe.gaborit/SD/GF2/GF2II.htm.

References

  1. Alahmadi, A., Güneri, C., Shohaib, H., Solé, P.: Long quasi-polycyclic t-CIS codes. CoRR, arXiv:1703.03109 (2017)

  2. Azzi, S., Barras, B., Christofi, M., Vigilant, D.: Using linear codes as a fault countermeasure for nonlinear operations: application to AES and formal verification. J. Cryptogr. Eng. 7(1), 75–85 (2017)

  3. Balasch, J., Faust, S., Gierlichs, B.: Inner product masking revisited. In: Oswald and Fischlin [46], pp. 486–510 (2015)

  4. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B.: Compositional verification of higher-order masking: application to a verifying masking compiler. IACR Cryptology ePrint Archive 2015, 506 (2015)

  5. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y.: Verified proofs of higher-order masking. In: Oswald and Fischlin [46], pp. 457–485 (2015)

  6. Barthe, G., Dupressoir, F., Faust, S., Grégoire, B., Standaert, F.-X., Strub, P.-Y.: Parallel implementations of masking schemes and the bounded moment leakage model. In: Coron, J.-S., Nielsen, J.B. (eds.) Advances in Cryptology - EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part I, vol. 10210 of Lecture Notes in Computer Science, pp. 535–566 (2017)

  7. Batina, L., Gierlichs, B., Prouff, E., Rivain, M., Standaert, F.-X., Veyrat-Charvillon, N.: Mutual information analysis: a comprehensive study. J. Cryptology 24(2), 269–291 (2011)

  8. Bhasin, S., Danger, J.-L., Guilley, S., Najm, Z.: A low-entropy first-degree secure provable masking scheme for resource-constrained devices. In: Proceedings of the Workshop on Embedded Systems Security, WESS 2013, Montreal, Quebec, Canada, September 29 - October 4, 2013, pp. 7:1–7:10. ACM (2013)

  9. Blömer, J., Guajardo, J., Krummel, V.: Provably secure masking of AES. In: Handschuh, H., Hasan, M. A. (eds.) Selected Areas in Cryptography, vol. 3357 of Lecture Notes in Computer Science, pp. 69–83. Springer (2004)

  10. Bringer, J., Carlet, C., Chabanne, H., Guilley, S., Maghrebi, H.: Orthogonal direct sum masking – a smartcard friendly computation paradigm in a code, with builtin protection against side-channel and fault attacks. In: WISTP, vol. 8501 of LNCS, pp. 40–56. Springer, Heraklion, Greece (2014)

  11. Bringer, J., Carlet, C., Chabanne, H., Guilley, S., Maghrebi, H.: Orthogonal direct sum masking – a smartcard friendly computation paradigm in a code, with builtin protection against side-channel and fault attacks. In: Naccache, D., Sauveron, D. (eds.) Information Security Theory and Practice. Securing the Internet of Things - 8th IFIP WG 11.2 International Workshop, WISTP 2014, Heraklion, Crete, Greece, June 30 - July 2, 2014. Proceedings, vol. 8501 of Lecture Notes in Computer Science, pp. 40–56. Springer (2014)

  12. Bringer, J., Carlet, C., Chabanne, H., Guilley, S., Maghrebi, H.: Orthogonal Direct Sum Masking: A Smartcard Friendly Computation Paradigm in a Code, with Builtin Protection against Side-Channel and Fault Attacks. Cryptology ePrint Archive, Report 2014/665. http://eprint.iacr.org/2014/665/ (extended version of conference paper [10]) (2014)

  13. Bruneau, N., Guilley, S., Heuser, A., Rioul, O.: Masks will fall off – higher-order optimal distinguishers. In: Sarkar, P., Iwata, T. (eds.) Advances in Cryptology – ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014, Proceedings, Part II, vol. 8874 of Lecture Notes in Computer Science, pp. 344–365. Springer (2014)

  14. Bruneau, N., Guilley, S., Najm, Z., Teglia, Y.: Multivariate high-order attacks of shuffled tables recomputation. J. Cryptol. 1–43 (2017). https://link.springer.com/article/10.1007/s00145-017-9259-7

  15. Carlet, C.: Correlation-immune boolean functions for leakage squeezing and rotating s-box masking against side channel attacks. In: Gierlichs, B., Guilley, S., Mukhopadhyay, D. (eds.) SPACE, vol. 8204 of Lecture Notes in Computer Science, pp. 70–74. Springer (2013)

  16. Carlet, C., Danger, J.-L., Guilley, S., Maghrebi, H.: Leakage squeezing of order two. In: Galbraith, S.D., Nandi, M. (eds.) Progress in Cryptology - INDOCRYPT 2012, 13th International Conference on Cryptology in India, Kolkata, India, December 9–12, 2012. Proceedings, vol. 7668 of Lecture Notes in Computer Science, pp. 120–139. Springer (2012)

  17. Carlet, C., Danger, J.-L., Guilley, S., Maghrebi, H.: Leakage Squeezing of Order Two. Cryptology ePrint Archive Report 2012/567 (2012). http://eprint.iacr.org/2012/567

  18. Carlet, C., Danger, J.-L., Guilley, S., Maghrebi, H.: Leakage squeezing: optimal implementation and security evaluation. J. Mathematical Cryptology 8(3), 249–295 (2014)

  19. Carlet, C., Danger, J.-L., Guilley, S., Maghrebi, H., Prouff, E.: Achieving side-channel high-order correlation immunity with leakage squeezing. J. Cryptogr. Eng. 4(2), 107–121 (2014)

  20. Carlet, C., Gaborit, P., Kim, J.-L., Solé, P.: A new class of codes for boolean masking of cryptographic computations. IEEE Trans. Inf. Theory 58(9), 6000–6011 (2012)

  21. Carlet, C., Goubin, L., Prouff, E., Quisquater, M., Rivain, M.: Higher-order masking schemes for s-boxes. In: Canteaut, A. (ed.) Fast Software Encryption - 19th International Workshop, FSE 2012, Washington, DC, USA, March 19–21, 2012. Revised Selected Papers, vol. 7549 of Lecture Notes in Computer Science, pp. 366–384. Springer (2012)

  22. Carlet, C., Guilley, S.: Complementary dual codes for counter-measures to side-channel attacks. Adv. Math. Commun. 10(1), 131–150 (2016)

  23. Carlet, C., Prouff, E., Rivain, M., Roche, T.: Algebraic decomposition for probing security. In: Gennaro, R., Robshaw, M. (eds.) Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16–20, 2015, Proceedings, Part I, vol. 9215 of Lecture Notes in Computer Science, pp. 742–763. Springer (2015)

  24. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S. Jr., Koç, Ç.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August 13–15, 2002, Revised Papers, vol. 2523 of Lecture Notes in Computer Science, pp. 13–28. Springer (2002)

  25. Chee, Y.M., Cherif, Z., Danger, J.-L., Guilley, S., Kiah, H.M., Kim, J.-L., Solé, P., Zhang, X.: Multiply constant-weight codes and the reliability of loop physically unclonable functions. IEEE Trans. Inf. Theory 60(11), 7026–7034 (2014)

  26. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Improved collision-correlation power analysis on first order protected AES. In: Preneel and Takagi [49], pp. 49–62 (2011)

  27. Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P. Q., Oswald, E. (eds.) EUROCRYPT, vol. 8441 of Lecture Notes in Computer Science, pp. 441–458. Springer (2014)

  28. Danger, J.-L., Guilley, S.: Cryptography circuit protected against observation attacks, in particular of a high order. International patent, granted as CA2749961, CN102405615, ES2435721, EP2380306, FR2941342, JP2012516068, KR20120026022, SG173111, US2012250854 and WO2010084106 (2010)

  29. Guilley, S., Heuser, A., Rioul, O.: A key to success - success exponents for side-channel distinguishers. In: Biryukov, A., Goyal, V. (eds.) Progress in Cryptology - INDOCRYPT 2015 - 16th International Conference on Cryptology in India, Bangalore, India, December 6–9, 2015, Proceedings, vol. 9462 of Lecture Notes in Computer Science, pp. 270–290. Springer (2015)

  30. Guilley, S., Heuser, A., Rioul, O.: Codes for side-channel attacks and protections. In: El Hajji, S., Nitaj, A., Souidi, E.M. (eds.) Codes, Cryptology and Information Security - Second International Conference, C2SI 2017, Rabat, Morocco, April 10–12, 2017, Proceedings - In Honor of Claude Carlet, vol. 10194 of Lecture Notes in Computer Science, pp. 35–55. Springer (2017)

  31. Heuser, A.: Distinguishing Distinguisher: A Theoretical Approach to Side-channel Analysis. PhD thesis, TELECOM-ParisTech (2015)

  32. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: CRYPTO, vol. 2729 of Lecture Notes in Computer Science, pp. 463–481. Springer, Santa Barbara (2003)

  33. Joye, M., Tunstall, M.: Fault Analysis in Cryptography. Springer LNCS. https://doi.org/10.1007/978-3-642-29656-7; ISBN 978-3-642-29655-0. (2011)

  34. Karmakar, S., Chowdhury, D.R.: Leakage squeezing using cellular automata. In: Kari, J., Kutrib, M., Malcher, A. (eds.) Automata, vol. 8155 of Lecture Notes in Computer Science, pp. 98–109. Springer (2013)

  35. Karpovsky, M.G., Kulikowski, K.J., Taubin, A.: Differential fault analysis attack resistant architectures for the advanced encryption standard. In: Quisquater, J.-J., Paradinas, P., Deswarte, Y., El Kalam, A.A. (eds.) Smart Card Research and Advanced Applications VI, IFIP 18th World Computer Congress, TC8/WG8.8 & TC11/WG11.2 Sixth International Conference on Smart Card Research and Advanced Applications (CARDIS), 22–27 August 2004, Toulouse, France, vol. 153 of IFIP, pp. 177–192. Kluwer/Springer (2004)

  36. Kim, H., Hong, S., Lim, J.: A Fast and Provably Secure Higher-Order Masking of AES S-Box. In: Preneel and Takagi [49], pp. 95–107 (2011)

  37. Maghrebi, H., Carlet, C., Guilley, S., Danger, J.-L.: Optimal first-order masking with linear and non-linear bijections. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT, vol. 7374 of Lecture Notes in Computer Science, pp. 360–377. Springer (2012)

  38. Maghrebi, H., Guilley, S., Danger, J.-L.: Leakage squeezing countermeasure against high-order attacks. In: Ardagna, C.A., Zhou, J. (eds.) Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication - 5th IFIP WG 11.2 International Workshop, WISTP 2011, Heraklion, Crete, Greece, June 1–3, 2011. Proceedings, vol. 6633 of Lecture Notes in Computer Science, pp. 208–223. Springer (2011)

  39. Maghrebi, H., Rioul, O., Guilley, S., Danger, J.-L.: Comparison between side-channel analysis distinguishers. In: Chim, T.W., Yuen, T.H. (eds.) ICICS, vol. 7618 of LNCS, pp. 331–340. Springer (2012)

  40. Messerges, T.S.: Securing the AES finalists against power analysis attacks. In: Schneier, B. (ed.) Fast Software Encryption, 7th International Workshop, FSE 2000, New York, NY, USA, April 10–12, 2000, Proceedings, vol. 1978 of Lecture Notes in Computer Science, pp. 150–164. Springer (2000)

  41. Messerges, T.S.: Using second-order power analysis to attack DPA resistant software. In: CHES, vol. 1965 of LNCS, pp. 238–251. Springer, Worcester (2000)

  42. Moradi, A.: Statistical tools flavor side-channel collision attacks. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT, vol. 7237 of Lecture Notes in Computer Science, pp. 428–445. Springer (2012)

  43. Moradi, A., Standaert, F.-X.: Moments-correlating DPA. IACR Cryptology ePrint Archive 2014, 409 (2014)

  44. Nassar, M., Guilley, S., Danger, J.-L.: Formal analysis of the entropy / security trade-off in first-order masking countermeasures against side-channel attacks. In: Bernstein, D.J., Chatterjee, S. (eds.) Progress in Cryptology - INDOCRYPT 2011 - 12th International Conference on Cryptology in India, Chennai, India, December 11–14, 2011. Proceedings, vol. 7107 of Lecture Notes in Computer Science, pp. 22–39. Springer (2011)

  45. NIST/ITL/CSD: Advanced Encryption Standard (AES). FIPS PUB 197. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf (also ISO/IEC 18033-3:2010) (2001)

  46. Oswald, E., Fischlin, M. (eds.): Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26–30, 2015, Proceedings, Part I, vol. 9056 of Lecture Notes in Computer Science. Springer (2015)

  47. Pan, J., den Hartog, J.I., Lu, J.: You cannot hide behind the mask: power analysis on a provably secure s-box implementation. In: Youm, H.Y., Yung, M. (eds.) Information Security Applications, 10th International Workshop, WISA 2009, Busan, Korea, August 25–27, 2009, Revised Selected Papers, vol. 5932 of Lecture Notes in Computer Science, pp. 178–192. Springer (2009)

  48. Poussier, R., Guo, Q., Standaert, F.-X., Carlet, C., Guilley, S.: Connecting and improving direct sum masking and inner product masking. In: Teglia, Y., Eisenbarth, T. (eds.) Smart Card Research and Advanced Applications - 16th International Conference, CARDIS 2017, Lugano, Switzerland, November 13–15, 2017, Revised Selected Papers, Lecture Notes in Computer Science. Springer (2017)

  49. Preneel, B., Takagi, T. (eds.): Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, September 28 – October 1, 2011. Proceedings, vol. 6917 of LNCS, Springer (2011)

  50. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES, vol. 6225 of LNCS, pp. 413–427. Springer (2010)

  51. Schneider, T., Moradi, A., Güneysu, T.: Parti - towards combined hardware countermeasures against side-channel and fault-injection attacks. In: Robshaw, M., Katz, J. (eds.) Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2016, Proceedings, Part II, vol. 9815 of Lecture Notes in Computer Science, pp. 302–332. Springer (2016)

  52. Schramm, K., Paar, C.: Higher order masking of the AES. In: Pointcheval, D. (ed.) CT-RSA, vol. 3860 of LNCS, pp. 208–225. Springer (2006)

  53. Standaert, F.-X., Veyrat-Charvillon, N., Oswald, E., Gierlichs, B., Medwed, M., Kasper, M., Mangard, S.: The world is not enough: another look on second-order DPA. In: Abe, M. (ed.) Advances in Cryptology - ASIACRYPT 2010 - 16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 5–9, 2010. Proceedings, vol. 6477 of Lecture Notes in Computer Science, pp. 112–129. Springer (2010)

  54. Teglia, Y., Liardet, P.-Y., Pomet, A.: Protection of the execution of a DES algorithm. US Patent 8,144,865 (2012)

  55. Tunstall, M., Whitnall, C., Oswald, E.: Masking tables – an underestimated security risk. In: Moriai, S. (ed.) FSE, vol. 8424 of Lecture Notes in Computer Science, pp. 425–444. Springer (2013)

  56. University of Sydney: Magma Computational Algebra System. http://magma.maths.usyd.edu.au/magma/, Accessed on 2014-08-22

  57. Waddle, J., Wagner, D.A.: Towards efficient second-order power analysis. In: Joye, M., Quisquater, J.-J. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2004: 6th International Workshop Cambridge, MA, USA, August 11–13, 2004. Proceedings, vol. 3156 of Lecture Notes in Computer Science, pp. 1–15. Springer (2004)

  58. Wang, W., Standaert, F.-X., Yu, Y., Pu, S., Liu, J., Guo, Z., Gu, D.: Inner product masking for bitslice ciphers and security order amplification for linear leakages. In: Lemke-Rust, K., Tunstall, M. (eds.) Smart Card Research and Advanced Applications - 15th International Conference, CARDIS 2016, Cannes, France, November 7–9, 2016, Revised Selected Papers, vol. 10146 of Lecture Notes in Computer Science, pp. 174–191. Springer (2016)

Acknowledgements

The authors wish to thank Patrick Solé for valuable inputs and suggestions about this article. This work was supported in part by the National Natural Science Foundation of China (No. 61632020), and by the ANR CHIST-ERA project https://secode.enst.fr/ (Secure Codes to thwart Cyber-physical Attacks). The authors are also grateful to Félix Ulmer from University of Rennes 1 for inputs about lifting of binary codes on larger structures of size \(2^{m}\), where m > 1.

Author information

Correspondence to Sylvain Guilley.

Additional information

This article is part of the Topical Collection on Special Issue on Statistics in Design and Analysis of Symmetric Ciphers

Cite this article

Carlet, C., Guilley, S. Statistical properties of side-channel and fault injection attacks using coding theory. Cryptogr. Commun. 10, 909–933 (2018). https://doi.org/10.1007/s12095-017-0271-4

Keywords

  • Detection of faults
  • Masking countermeasure
  • Statistics of leakage
  • Uni- and multi-variate side-channel attacks
  • High-order attacks
  • Probing security model
  • Bounded moment security model
  • Inner product masking
  • Leakage squeezing masking

Mathematics Subject Classification (2010)

  • 62B10
  • 62P30